In an important decision the CJEU has found that the administrator of a Facebook ‘fan page’ was a joint data controller with Facebook Ireland and Facebook Inc, and that a German data protection supervisory authority is competent to assess the lawfulness of data processing carried out by Facebook Germany, applying German data protection law.

The decision in Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16) is likely to have significant implications for Facebook and for those who are using social media sites for certain purposes that go beyond merely personal ones. It may lead to further attempts to sue Facebook UK Limited in this jurisdiction.

Background

This case concerns the liability of administrators of a Facebook ‘fan page’ under German data protection laws. Fan pages are user accounts that can be set up on Facebook by individuals or businesses. Administrators of fan pages can obtain anonymous statistical information on visitors to the fan pages via a function called ‘Facebook Insights’ which Facebook makes available to them free of charge under non-negotiable conditions of use. That information is collected by means of evidence files (‘cookies’) which are active for two years and are stored by Facebook on the hard disk of the computer or on other media of visitors to fan pages.

In November 2011, the supervising data protection authority for Schleswig-Holstein (one of Germany’s “länder” or provinces), the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, “ULD”, ordered Wirtschaftsakademie Schleswig-Holstein GmbH, a private education company, to deactivate a fan page it had set up on Facebook on the grounds that it was collecting cookies from visitors to the fan page and neither the education company nor Facebook Ireland had informed users that their personal data would be processed in this way.

The education company complained about the decision arguing that it was not responsible for processing the personal data or for the cookies which Facebook installed. The ULD dismissed the complaint stating (according to the CJEU decision) that the education company “had made an active and deliberate contribution to the collection by Facebook of personal data relating to visitors to the fan page, from which it profited by means of the statistics provided to it by Facebook” [17].

The German company appealed and the case proceeded through the German courts, with the courts finding against the ULD and holding that an administrator of a fan page on Facebook was not a data controller. The case reached the Federal Administrative Court which made a reference to the CJEU for a preliminary ruling on a series of questions. The first two questions were premised on the assumption that the administrator of a fan page on Facebook was not a data controller. The remaining questions related to the issue of jurisdiction and whether the ULD could take steps against Facebook Germany and require it to implement measures and orders implementing data protection legislation, when Facebook Germany’s sole function was to promote the sale of advertising space on Facebook and it did not process personal data; or whether such steps need to be taken in or involving Ireland, as Facebook Ireland was the entity in a Member State that was responsible for processing the personal data.

Judgment

In a judgment that is reminiscent of the ‘Google Spain’ decision, the CJEU again adopted a broad interpretation of Directive 95/46, consistent with its aim of ensuring “a high level of protection of the fundamental rights and freedoms of natural persons, in particular their right to privacy, with respect to the processing of personal data” ([26] [27]). There were two broad topics dealt with which I have considered in turn below.

Data Controllers

Firstly the issue of ‘data controllers’. The CJEU disagreed with the premise of the initial questions, holding that the education company was a data controller along with Facebook Ireland and that this was the case even though it didn’t have access to the personal data concerned.

The Court’s rationale was that the aim of Directive 95/46 was “effective and complete protection of the persons concerned” ([28], citing Google Spain, C‑131/12, EU:C:2014:317, [34]) and that the concept of a “controller” does not necessarily refer to a single entity and may concern “several actors taking part in that processing, with each of them then being subject to the applicable data protection provisions”.

In the present case the processing of the personal data was to enable Facebook to improve its system of advertising and to enable the fan page administrator to obtain statistics produced by Facebook from the visits to the page, for the purposes of managing the promotion of its activity. For example the fan page administrator would be made aware of the profile of the visitors who like its fan page or use its applications, so that it could offer them more relevant content and develop functionalities likely to be of more interest to them. [34] ‘Facebook’ here refers to both Facebook Inc and Facebook Ireland who are joint data controllers – a matter that the CJEU stated was not challenged (see [30], [33], [34] and [59]).

Unlike an ordinary Facebook user with an ordinary account, the administrator of a fan page created a page that gave Facebook the opportunity to place cookies on the computers or other devices of a person visiting its fan page, whether or not that person had a Facebook account. [35]

Accordingly, the Court found that the administrator’s acts in setting up the fan page had an influence on the processing and contributed to the processing of the personal data of visitors to its page:

“…the creation of a fan page on Facebook involves the definition of parameters by the administrator, depending inter alia on the target audience and the objectives of managing and promoting its activities, which has an influence on the processing of personal data for the purpose of producing statistics based on visits to the fan page. The administrator may, with the help of filters made available by Facebook, define the criteria in accordance with which the statistics are to be drawn up and even designate the categories of persons whose personal data is to be made use of by Facebook. Consequently, the administrator of a fan page hosted on Facebook contributes to the processing of the personal data of visitors to its page.” [36]

It relied on the fact that administrators could ask for – and request the processing of – demographic data such as trends in terms of age, sex and occupation. [37]

The fact that the administrator did not have access to the personal data concerned but only anonymised data was not relevant as:

“Directive 95/46 does not, where several operators are jointly responsible for the same processing, require each of them to have access to the personal data concerned.” [38]

The fact that the administrator, Facebook Inc and Facebook Ireland were joint data controllers did not necessarily imply equal responsibility – the levels of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case [43]. The Court noted that the fan page could be visited by non-Facebook users and held that the fan page administrator’s responsibility for the processing of the personal data of such persons “appears to be even greater, as the mere consultation of the home page by visitors automatically starts the processing of their personal data.” [41]

Jurisdiction

The ULD was entitled to exercise its powers in respect of Facebook Germany as the two conditions set out in Article 4(1) of Directive 95/46 were satisfied.

The first condition is that the controller responsible for the processing of the personal data must have an establishment in the Member State of the supervisory authority. This implies the “effective and real exercise of activity through stable arrangements” and the legal form of the establishment is not the determining factor [54]. In the current case, Facebook Inc., as controller jointly responsible with Facebook Ireland for processing personal data, has a permanent establishment in Germany, namely Facebook Germany, and Facebook Germany effectively and genuinely exercises activities in that Member State.

The second condition is that the processing of personal data must be carried out ‘in the context of the activities’ of the establishment in question. The Court held that this cannot be interpreted restrictively in view of the objective pursued by Directive 95/46 of ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data [56]. The processing is not required to be carried out “by” the establishment but only “in the context of the activities of” the establishment [57]. The activities of Facebook Germany in promoting and selling advertising space are inextricably linked to the processing of the personal data by Facebook Inc and Facebook Ireland, which in the present case related to the installation of cookies to enable Facebook to improve its system of advertising [58]-[60].

Finally the CJEU held that the ULD did not need to call upon its equivalent Irish data protection supervisory authority to intervene before reaching or in order to reach a decision. While the second sub-paragraph of Article 28(6) of Directive 95/46 provided for cooperation, it did not lay down any criterion of priority governing the intervention of one supervisory authority as against another, nor does it lay down an obligation to comply with positions that may have been expressed by the supervisory authority of another Member State [69]. Accordingly, a supervisory authority which is competent under its national law is not obliged to adopt the conclusion reached by a supervisory authority in another Member State in an analogous situation [70].

Comment

This is an important judgment with potentially wide ramifications. The decision on jurisdiction follows the path established in the Google Spain case under the 1995 Directive. Global companies with a presence in many Member States cannot evade the jurisdiction of such Member States by carrying out all the data processing in only one of them; the test is whether the processing is being carried out ‘in the context of’ the activities of the establishment in each Member State. While the decision related to whether a supervisory authority had power over Facebook Germany, it may well have broader consequences. Assuming the position of Facebook UK is the same as Facebook Germany, there would be a good case for arguing that data protection proceedings could be brought against it in this jurisdiction. This is contrary to the position as it had previously been thought to be (see Richardson v Facebook [2015] EWHC 3154 at [59]).

This decision, reached by reference to Recital 19 of Directive 95/46, is likely to remain unchanged as Recital 22 of the GDPR is in very similar terms in respect of this issue. Recital 22 provides:

“Any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union should be carried out in accordance with this Regulation, regardless of whether the processing itself takes place within the Union. Establishment implies the effective and real exercise of activity through stable arrangements. The legal form of such arrangements, whether through a branch or a subsidiary with a legal personality, is not the determining factor in that respect”.

Not only this, but the territorial scope under the GDPR is expressly wider and it applies in certain situations “regardless of whether the processing itself takes place within the Union” (see, for example, Recital 22 above and Article 3(1)). This is in recognition of the increasingly global manner in which goods and services are offered via the internet and designed to meet the aim of the GDPR in protecting data subjects (see, for example, Recital 23).

The broad view on jurisdiction in the judgment is accompanied by a wide definition of data controller. Some might find it startling that a data controller can be a person who does not even have access to the personal data in issue, or that the education company could be said – in reality – to be ‘determining the purposes and means of processing the data’. While the CJEU made it clear that merely using social media sites such as Facebook would not make an ordinary Facebook user a joint data controller (see [35]), this will not be of comfort to the administrators of Facebook ‘fan pages’ and others in a similar position who, as a result of this decision, should have been complying with the data protection principles under the old regime. Nor can such people rely on the fact that this was a decision under Directive 95/46 and not the GDPR, as the definition of ‘controller’ under Article 4(7) of the GDPR is materially the same as Article 2(1)(d) of the Directive – and there is no reference in either to the controller needing to have access to personal data. If the position is the same under the GDPR, such controllers are “responsible for and must demonstrate compliance with” the data protection principles set out in Article 5(1)(a) to (f) GDPR: the net of those caught by the administrative burden of GDPR compliance continues to grow.

Sara Mansoori is a barrister at Matrix Chambers practising in Media and Information Law.